PCI SSC issues draft of PCI guidelines for ATMs; ATMIA asks for clarification

The PCI Security Standards Council announced last week that it is seeking feedback from participating organizations on its draft publication of ATM security guidelines. The ATM Industry Association has already expressed one point of concern about terms used in the draft.

The ATM Security Guidelines Information Supplement

It's a very long name for a very simple idea: Secure the whole machine, not just parts of it. The draft document produced by the council is its response to industry requests for a more comprehensive guide for securing ATM data. PCI Standards currently address ATM PIN pads, but not the ATM as a unit — leaving a guidance gap when it comes to growing threats such as skimming fraud.

In the absence of global industry guidelines for securing ATMs, the Council has developed a set of best practices to help operators ensure that their machines will not be compromised. These standards are based on existing standards from industries that include IT, security and payment card, among others.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address software, hardware and device components of the ATM.

A 60-day opportunity for review and comment

As a benefit of their involvement in the PCI community, participating organizations have the opportunity to provide feedback in the development of PCI standards and resources. The council has established a review period for the draft guidelines of 60 days, during which participating organizations can read and comment on the draft via the PO portal. The draft will then be revised and finalized before the end of the year.

"We rely on industry feedback to develop PCI Standards and resources," said Bob Russo, general manager of the PCI Security Standards Council, in an announcement about the draft guidelines. "By sharing an early version of the guidelines with the PCI community, we’re aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security.

"Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business."

'Standards' — or 'best practices'?

ATM Industry Association CEO, Mike Lee, is also encouraging comment before the November 13 cutoff date. Lee is urging POs to request clarification of terms used in the document; his concern is with the draft's use of the words "standards" and "best practices" interchangeably.

"These are two very different beasts," Lee wrote in an email to ATM Marketplace. "Standards need to be enforced and global standards need to be enforced globally — at great on-going cost and effort. Best practices are minimum industry security recommendations and are not enforced as such; they are subscribed to voluntarily in a spirit of self-regulation. These two approaches are miles apart."

Lee is hoping that if enough POs speak up about the standards/best practices question, the PCI SSC will clarify its intentions about enforcement and revise the guidelines to be consistent with its position — whichever it is.

"I urge the PCI Security Standards Council to specify in a transparent manner as soon as possible whether they are producing enforceable ATM security standards — which they intend to enforce — or best practices which the industry should adopt as part of a voluntary code of practice," Lee wrote. " … this confusion of terms should be cleared up as soon as possible."

User Comments
  • Semeh Arbi
    Please can you provide me with the draft of PCI guidelines for ATMs?
  • Suzanne Cluckey
    Downloadable PDFs of PCI security standards are available at the PCI Security Standards Council website: https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0